Information Governance Policy
Applicable to All employees
Version 1.0
Last Updated March 2014
CONFIDENTIAL

Contents
1. Objectives
2. Scope
3. Principles
4. Information Governance Policy
  4.1 Sefton CVS Commitment
  4.2 Openness
  4.3 Legal Compliance
  4.4 Information Security
  4.5 Information Quality Assurance
5. Assessment and Monitoring
6. Responsibilities and Approvals
  6.1 Sefton CVS Board
  6.2 The Senior Information Risk Owner (SIRO)
  6.3 The Caldicott Guardian
  6.4 Information Governance Lead
  6.5 All Employees

Version Control and Ownership
Original Version Published: March 2014
This Version number: V1
Date Approved by Board: 19/3/14
Date Reviewed:
Policy Owner: Ann Cartwright

Sefton CVS - Information Governance Policy
1. Objectives

Sefton CVS considers information to be a vital asset in terms of the efficient management of services and resources, playing a key part in providing information, governance, service planning and performance management. It is therefore of paramount importance to ensure that information is efficiently managed and that appropriate policies, procedures and management accountability provide a robust governance framework for information management.

2. Scope

This policy covers all aspects of information within the organisation, including (but not limited to):
- Client/Service User information
- Personnel information
- Organisational information

This policy covers all aspects of handling information, including (but not limited to):
- Structured record systems - paper and electronic
- Transfer of information - e-mail, post, fax and telephone

This policy covers all information systems purchased, developed and managed by/or on behalf of Sefton CVS and any individual directly employed or otherwise by the organisation.

3. Principles

The organisation recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. The organisation fully supports the principles of corporate governance, but equally places importance on the confidentiality of, and the security arrangements to safeguard, both personal information about clients / staff and commercially sensitive information.

The organisation also recognises the need to share client information with other partner organisations and agencies in a controlled manner, consistent with the interests of the client and, in some circumstances, the public interest.

The organisation believes that accurate, timely and relevant information is essential to deliver and support the highest quality service provision. As such it is the responsibility of all staff to ensure and promote the quality of information and to actively use information in decision-making processes.
4. Information Governance Policy

4.1 Sefton CVS Commitment
4.1.1 All legislative, contractual, regulatory requirements and national policy will be met
4.1.2 Business Continuity Plans will be produced, maintained and tested
4.1.3 Appropriate operational procedures exist to support this Policy
4.1.4 Appropriate training will be offered to relevant staff

4.2 Openness
4.2.1 Non-confidential information on the organisation and its services should be available to the public through a variety of media
4.2.2 The organisation will undertake or commission annual assessments and audits of its policies and arrangements for openness
4.2.3 Clients should have ready access to information relating to them in line with their rights as clients
4.2.4 The organisation will have clear procedures and arrangements for liaison with the press and broadcasting media
4.2.5 The organisation will have clear procedures and arrangements for handling queries from clients and the public

4.3 Legal Compliance
4.3.1 The organisation regards all identifiable personal information relating to clients as confidential
4.3.2 The organisation will undertake or commission annual assessments and audits of its compliance with legal requirements
4.3.3 The organisation regards all identifiable personal information relating to staff as confidential except where national policy on accountability and openness requires otherwise
4.3.4 The organisation will establish and maintain policies to ensure compliance with the Data Protection Act, Human Rights Act and the Common Law Duty of Confidentiality
4.3.5 The organisation will establish and maintain policies for the controlled and appropriate sharing of client information with other agencies, taking account of relevant legislation (e.g. Health and Social Care Act, Crime and Disorder Act, Protection of Children Act)

4.4 Information Security
4.4.1 The organisation will establish and maintain policies and procedures for the effective and secure management of its information assets and resources
4.4.2 The organisation will protect its information assets from all threats, whether internal or external, deliberate or accidental
4.4.3 The organisation will undertake or commission annual audits/assessments of its information and IT security arrangements
4.4.4 The organisation will promote effective confidentiality and security practice to its staff through policies, procedures and training
4.4.5 The organisation will establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security

4.5 Information Quality Assurance
4.5.1 The organisation will establish and maintain procedures for information quality assurance and the effective management of records
4.5.2 The organisation will undertake or commission regular assessments and audits of its information quality and records management arrangements
4.5.3 Managers are expected to take ownership of, and seek to improve, the quality of information within their services
4.5.4 Wherever possible, information quality should be assured at the point of collection
4.5.5 The organisation will promote information quality and effective records management

5. Assessment and Monitoring

5.1 An assessment of compliance with requirements within the Information Governance Toolkit (IGT) will be undertaken each year. The requirements are grouped into the following initiatives:
- Confidentiality and Data Protection Assurance
- Information Governance Management
- Information Security Assurance

5.2 Summary reports and proposed action/development plans will be produced annually. The Board, or nominated committee, will sign off the IGT score before submission.

6. Responsibilities and Approvals
6.1 Sefton CVS Board

The Board has ultimate responsibility for the implementation of the provisions of this policy; they are responsible for the management of the organisation and for ensuring that the appropriate mechanisms are in place to support service delivery and continuity. The organisation has a particular responsibility for ensuring that it corporately meets its legal responsibilities, and for the adoption of and compliance with internal and external governance requirements.

6.2 The Senior Information Risk Owner (SIRO)

The SIRO takes overall ownership of the organisation's Information Risk Policy; they will act as champion for information risk on the Board and provide advice regarding information risk and the effectiveness of information risk management.

6.3 The Caldicott Guardian

The Caldicott Guardian will take a lead on Confidentiality issues, ensuring that the organisation satisfies the highest practical standards for handling client identifiable information; they will act as the conscience of the organisation and will also facilitate and enable information sharing and advise on options for lawful and ethical processing of information; they will represent and champion Information Governance requirements and issues at Board level; ensure that confidentiality issues are appropriately reflected in organisational strategies, policies and working procedures for staff; and oversee all arrangements, protocols and procedures where confidential client information may be shared with external bodies.

6.4 Information Governance Lead

The Information Governance Lead is responsible for providing specialist advice and support on all aspects of Information Governance. They are also responsible for reviewing the policy and ensuring it is updated in line with any changes to national guidance or local policy. They will maintain an awareness of information governance issues within the organisation.

6.5 All Employees

All employees are responsible for:
- Ensuring compliance with this policy
- Seeking advice, assistance and training where required